Hi guys,

Got a bit of a complicated one so put your thinking caps on.

We've gone through recently and tightened down our Win2k3 domain (with only
WinXP clients) using Group Policy.

Since we have made some changes, most of which are recommended or required,
clients are no longer having their printers mapped via logon script.

These are the Security GPO changes made:

- Domain controller: LDAP server signing requirements (Require signing)
- Domain member: Digitally encrypt or sign secure channel data (always)
(Enabled)
- Domain member: Require strong (Windows 2000 or later) session key (Enabled)
- Network access: Allow anonymous SID/Name translation (Disabled)
- Network access: Do not allow anonymous enumeration of SAM accounts
(Enabled)
- Network access: Do not allow anonymous enumeration of SAM accounts and
shares (Enabled)
- Network access: Let Everyone permissions apply to anonymous users (Disabled)

As for the printers users were getting their access via the EVERYONE group.
I have confirmed that as far as the Printer groups go, everyone is a member
of their associated groups.

The logon script says that if you are a member of that group, then map that
specific printer. Since the groups aren't assigned to the printers, they were
naturally getting their access (previously) via the EVERYONE group.

Since the above security changes, users seem to have lost their access to
the EVERYONE group and the logon script is no longer installing the printers
for them.

I can confirm that the logon script has not changed since no one here knows
VB :o)

It was definitely one of the above changes. Can anyone think of which one?

Thank you

Hutchy
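
The mapping logic described above lives in a VBScript logon script that nobody on site can edit, so a version that records why a mapping fails helps narrow down which setting broke it. This is an added example, not Hutchy's script; the group names, the print server \\PRINTSRV and the log path are assumptions.

```vbscript
' Example diagnostic logon script (added here; not the poster's script).
' Maps each printer only when the user is in its group, and records the
' exact failure code so an ACL problem (access denied) can be told apart
' from a connectivity problem.
Option Explicit

' Assumed names: replace the group names, print server and log path.
Const LOGFILE = "%TEMP%\printer-logon.log"
Dim mapping: Set mapping = CreateObject("Scripting.Dictionary")
mapping.Add "printer_accounts", "\\PRINTSRV\AccountsLaser"
mapping.Add "printer_sales",    "\\PRINTSRV\SalesLaser"

Dim objNet, objShell, objFSO, objLog, objSysInfo, objUser, groups, dn, grp
Set objNet   = CreateObject("WScript.Network")
Set objShell = CreateObject("WScript.Shell")
Set objFSO   = CreateObject("Scripting.FileSystemObject")
Set objLog   = objFSO.OpenTextFile(objShell.ExpandEnvironmentStrings(LOGFILE), 8, True)

' Read the user's direct group memberships from AD (memberOf does not
' include the primary group or nested groups; enough for this check).
Set groups = CreateObject("Scripting.Dictionary")
Set objSysInfo = CreateObject("ADSystemInfo")
Set objUser = GetObject("LDAP://" & objSysInfo.UserName)
On Error Resume Next
For Each dn In objUser.GetEx("memberOf")
    ' dn looks like CN=Printer_Sales,OU=Groups,DC=example,DC=local
    groups(LCase(Mid(Split(dn, ",")(0), 4))) = True
Next
Err.Clear
objLog.WriteLine Now & " user=" & objNet.UserName & " groups=" & Join(groups.Keys, ";")

For Each grp In mapping.Keys
    If groups.Exists(grp) Then
        Err.Clear
        objNet.AddWindowsPrinterConnection mapping(grp)
        If Err.Number = 0 Then
            objLog.WriteLine Now & " mapped " & mapping(grp) & " via " & grp
        Else
            ' 0x80070005 (access denied) means the user's token holds no
            ' group that is granted Print permission on that queue.
            objLog.WriteLine Now & " FAILED " & mapping(grp) & " err=0x" & _
                Hex(Err.Number) & " " & Err.Description
        End If
    End If
Next
objLog.Close
```

Run it as the affected user's logon script and compare the logged group list and error code against the printer's security tab; an access-denied code with the expected group present points at the queue ACL rather than the script.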

Re: Printers don't assign after GPO Security changes... by Steven

Steven
Wed May 17 18:57:49 CDT 2006


"Hutchy" <Hutchy@discussions.microsoft.com> wrote in message
news:8E48FD7D-F2E3-4F0F-A03F-47C0F26DBFE9@microsoft.com...



Re: Printers don't assign after GPO Security changes... by Steven

Steven
Wed May 17 19:03:26 CDT 2006

Without knowing a lot more about your network configuration, based on what
you have shown so far I would suspect the security option "Network
access: Let Everyone permissions apply to anonymous users (Disabled)". It
would be easy enough to try and undo the changes one at a time in the Group
Policy where they were enabled, then run gpupdate on the domain
controller, and then reboot or run gpupdate /force on the computers
that are being affected [other than domain controllers] by that policy to
speed up propagation, and then try again. Without rebooting or using gpupdate
it can take up to two hours for Group Policy changes to propagate to
member computers. If it is not "Network access: Let Everyone permissions
apply to anonymous users (Disabled)", I would work my way up from the bottom
of the list you show. --- Steve





Re: Printers don't assign after GPO Security changes... by Hutchy

Hutchy
Wed May 17 19:33:01 CDT 2006

Thanks Steven, I suspected the same as you. So what I did was add the
proper security group, which the user was a member of, to the printer
properties with read access, thereby explicitly allowing users to get permissions
to that printer from the associated group rather than the EVERYONE group.

This too was not working, which has led me to believe that if people can't
get a print mapping via their proper security group, then what good is the
security setting to remove the option to allow anonymous users to get access
through the EVERYONE group when the GPO settings are only applied to
authenticated users anyhow?

It's a mystery.

"Steven L Umbach" wrote:

Re: Printers don't assign after GPO Security changes... by Steven

Steven
Wed May 17 20:35:00 CDT 2006

Is the printer connected to a computer that has the guest account enabled?
Perhaps that is allowing unauthenticated access to the printer. You might
check the security log on that computer for logon failures, or for successful
logons from a point in time before the problem began, to see how users were
accessing the computer, assuming that auditing for logon events is enabled on
that computer, which it might be by default depending on the operating
system. Another thing to try is to grant permissions to Domain Users.

What I would probably do at this point is to restore the security options
you mention below to what they were before [or at least the ones for
anonymous access first] to see if that restores normal operations. If it
does, then you know for sure that it is related to a security option, and I
would enable the new changes one at a time until the problem arises again to
pinpoint what the problem is. You can use rsop.msc on an XP Pro/W2003
computer to see what settings are actually being applied, or check via Local
Security Policy. If you cannot change a setting in Local Security Policy on
an XP Pro/W2003 computer, that means that the current setting is being
enforced by a domain level GPO. The link below may be helpful in that it
describes possible consequences of the security options you are concerned
about for various configurations. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;823659 --- scroll
down to security settings

"Hutchy" <Hutchy@discussions.microsoft.com> wrote in message
news:B3853BEC-956B-428E-9638-D976494DD9AC@microsoft.com...